ossf / scorecard-action

Official GitHub Action for OpenSSF Scorecard.
Apache License 2.0

Replace cosign #1008

Open naveensrinivasan opened 1 year ago

naveensrinivasan commented 1 year ago

At the moment we use cosign to sign our payload. Cosign brings in a lot of dependencies.

We could replace it with something like this https://github.com/slsa-framework/slsa-github-generator/blob/c3a3e407b10cc6dbbb44d01e0ebdded5c6b22f12/signing/sigstore/rekor.go#L63

laurentsimon commented 1 year ago

There's a WIP sigstore-go which aims at reducing the dependencies to a minimum. Once it's ready, we'll use that?

justaugustus commented 1 year ago

> There's a WIP sigstore-go which aims at reducing the dependencies to a minimum. Once it's ready, we'll use that?

That sounds like a plan!

naveensrinivasan commented 1 year ago

> There's a WIP sigstore-go which aims at reducing the dependencies to a minimum. Once it's ready, we'll use that?

We already have this https://github.com/sigstore/sigstore

laurentsimon commented 1 year ago

IIUC, this https://github.com/sigstore/sigstore-go is the library WIP that will minimize the logic / number of deps

spencerschrock commented 3 months ago

https://github.com/sigstore/sigstore-go now has signing support, so it may be possible to make the change soon https://github.com/sigstore/sigstore-go/releases/tag/v0.4.0

v0.4.0 includes signing support as well as the verification and signing API moving from unstable to beta